first you should mark packets in postrouting chain for what you need forward chain dont touch local trafic, which is your proxy. next, since you redirect packets to port 3128 you should match on this port not on 80. but then you will mark all packets from port 3128 no matter they are redirected or not. (all proxy trafic will be marked) Also you can simply match with tc on port 80, since tc is after nat and it will see the same port the user will see. for such simple setup no marking is nesecary. ----- Original Message ----- From: "Enrico Demarin" <enricod@xxxxxxxxxxxx> To: <lartc@xxxxxxxxxxxxxxx> Sent: Monday, March 22, 2004 4:35 PM Subject: Fwmark and REDIRECT rules > Hi , > > this is the situation , I am using a Linux gateway to shape the outbound > traffic coming from a LAN, configured ( for example ) as following ( > using htb ): > > > ETH0 ( public interface ) > > > 1 ROOT class rate 10240 kbit, ceil 10240 > > 2 LEAF class rate 8192, ceil 8192 > > 3 LEAF class rate 2048 , ceil 2048 > > ETH1 ( LAN ) > > Then i define the following rules : > > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x10 fw > flowid 1:2 > > tc filter add dev eth0 parent 1:0 protocol ip prio 0 handle 0x20 fw > flowid 1:3 > > And set the iptables rules to assign the fwmarks : > > /sbin/iptables -t mangle -F mygroup > /sbin/iptables -t mangle -X mygroup > /sbin/iptables -t mangle -N mygroup > > /sbin/iptables -t mangle -A FORWARD -i eth1 -o eth0 -j mygroup > > /sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j MARK > --set-mark 0x20 > /sbin/iptables -t mangle -A mygroup -p tcp -m tcp --dport 80 -j > RETURN > > /sbin/iptables -t mangle -A mygroup -j MARK --set-mark 0x10 > /sbin/iptables -t mangle -A mygroup -j RETURN > > In theory , this should assign all packets with dest port 80 forwarded > from eth1 to eth0 to the 0x20 class, and the rest to the 0x10 class. > > And it works, until i do something like this : > > iptables -t nat -A PREROUTING -p tcp --source 10.1.0.0/24 --dport 80 -j > REDIRECT --to-ports 3128 > > to set up transparent proxy redirection to the local squid ( 10.1.0.0/24 > is the subnet of eth1 ). > > The redirection works but no packets end up in the 0x20 class. > > Any way to shape even transparent-proxied traffic ? > > thanks, > Enrico > > > _______________________________________________ > LARTC mailing list / LARTC@xxxxxxxxxxxxxxx > http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/ > _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/